Struct ApprovalScope 

pub struct ApprovalScope {
    pub max_actions: Option<u32>,
    pub valid_until: Option<String>,
    pub allowed_actors: Vec<String>,
    pub allowed_actions: Vec<String>,
    pub allowed_subjects: Vec<String>,
    pub extra: Option<Value>,
}

Scope constraints on an approval — who may perform what against which subject, how many times, and until when.

Treeship’s verify pass enforces these constraints statelessly (every field except max_actions can be checked from the signed envelope alone). max_actions is signed into the grant so a future ledger / Hub layer can enforce single-use across the global view; for now it is descriptive, and verify reports the replay-check posture honestly rather than claiming enforcement that did not happen.

An empty allowed_* list means “no constraint on that axis.” All-empty scope is equivalent to no scope at all (an unscoped / bearer approval) — which verify flags with a warning so callers know the binding is the only thing being attested.

Fields

max_actions: Option<u32>

Maximum number of actions this approval authorises. Signed into the grant for future stateful enforcement; not yet checked statelessly.

valid_until: Option<String>

ISO 8601 timestamp after which the approval is no longer valid. Independent of ApprovalStatement.expires_at so a single approval can have an outer “key valid until X” and a tighter “scope valid until Y” if the operator wants both. Verify enforces both.

allowed_actors: Vec<String>

Actor URIs permitted to consume this approval. Empty = no constraint on actor.

allowed_actions: Vec<String>

Action labels permitted under this approval. Empty = no constraint on action.

allowed_subjects: Vec<String>

Subject URIs permitted as the target of an action under this approval. Matched against ActionStatement.subject.uri (or artifact_id for chain-internal subjects). Empty = no constraint on subject.

extra: Option<Value>

Arbitrary additional constraints (e.g. max payment amount).

Implementations

impl ApprovalScope

pub fn is_unscoped(&self) -> bool

True when no constraint axis is populated. An unscoped approval proves only nonce binding – it does NOT bind actor, action, or subject. Verify warns when this is true so the audit reader knows the limit of what was signed.

Trait Implementations

impl Clone for ApprovalScope

fn clone(&self) -> ApprovalScope

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for ApprovalScope

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for ApprovalScope

fn default() -> ApprovalScope

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for ApprovalScope

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Serialize for ApprovalScope

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.